Disable AWS Services using Provider Management APIs

Overview

This guide explains how to disable specific AWS services across multiple AWS integrations (providers) using the Veza API. Limiting AWS service extraction can reduce processing overhead, help teams focus on relevant services, or exclude analytics platforms like DATABRICKS that may not be deployed or required for visibility in Veza. This is particularly useful for organizations with many AWS accounts that need to disable unused services at scale.

In the JSON AWS provider configuration, the services array acts as an allow list that controls which AWS services Veza will discover and extract:

  • Empty array [] = All available AWS services are enabled for discovery

  • Populated array = Only the listed services are enabled; all others are disabled

To disable specific services, you must populate the array with only the services you want to monitor.

Before you start

Before you update AWS provider services, ensure:

  • You have API access credentials for your Veza instance (see Authentication for API key setup)

  • You have the VEZA_TOKEN environment variable configured

  • You have the VEZA_URL environment variable set to your instance (e.g., https://yourcompany.cookiecloud.ai)

  • You have appropriate permissions to modify provider configurations

  • You understand that empty services arrays mean ALL services are enabled

Disable specific AWS services across providers

Step 1: Discover your current AWS providers

First, retrieve all AWS provider configurations to understand your current setup:

curl -H "Authorization: Bearer $VEZA_TOKEN" \
     "$VEZA_URL/api/v1/providers/aws"

Understanding the response:

  • Providers with empty services: [] arrays have ALL services enabled

  • Providers with populated services arrays only extract the listed services

  • Note the id, name, and account_id fields for providers you want to modify

Example response structure:

{
  "values": [
    {
      "id": "12345678-1234-5678-9012-123456789012",
      "name": "Production AWS Account", 
      "account_id": "123456789012",
      "services": [],
      "state": "ENABLED"
    },
    {
      "id": "87654321-4321-8765-2109-876543210987",
      "name": "Development AWS Account",
      "account_id": "987654321098", 
      "services": ["S3", "RDS_POSTGRES", "LAMBDA"],
      "state": "ENABLED"
    }
  ]
}

Step 2: Identify target providers and services

  1. Identify which providers to modify based on:

    • Provider names that match your AWS accounts

    • Account IDs that correspond to your AWS accounts

    • Current services configuration

  2. Determine your desired services configuration:

    Option A: Disable DATABRICKS only

    {
      "services": [
        "REDSHIFT", "REDSHIFT_CLUSTER", "S3", "RDS_POSTGRES", "RDS_MYSQL", 
        "RDS_ORACLE", "RDS", "DYNAMODB", "KMS", "EMR", "ORGANIZATIONS", 
        "EC2", "SSO", "COGNITO", "LAMBDA", "EKS", "SECRETS_MANAGER", 
        "ECR", "AWS_IAM"
      ]
    }

    Option B: Enable only specific services

    {
      "services": [
        "S3", "RDS_POSTGRES", "LAMBDA", "EC2", "AWS_IAM"
      ]
    }

    Option C: Custom configuration

Step 3: Test with a single provider

Before updating all providers, test with one provider first:

# Replace with your actual provider ID and desired services
curl -X PATCH \
     -H "Authorization: Bearer $VEZA_TOKEN" \
     -H "Content-Type: application/json" \
     -d '{"services":["S3","RDS_POSTGRES","LAMBDA","EC2","AWS_IAM"]}' \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_HERE"

Verify the change:

curl -H "Authorization: Bearer $VEZA_TOKEN" \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_HERE"

Check that the response shows your desired services array.

Step 4: Apply to multiple providers

Update each provider individually using its specific ID:

# Example for multiple providers - replace with your actual IDs and services
DESIRED_SERVICES='["S3","RDS_POSTGRES","DYNAMODB","LAMBDA","EC2","AWS_IAM"]'

# Provider 1
curl -X PATCH \
     -H "Authorization: Bearer $VEZA_TOKEN" \
     -H "Content-Type: application/json" \
     -d "{\"services\":$DESIRED_SERVICES}" \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_1"

# Provider 2  
curl -X PATCH \
     -H "Authorization: Bearer $VEZA_TOKEN" \
     -H "Content-Type: application/json" \
     -d "{\"services\":$DESIRED_SERVICES}" \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID_2"

Bulk approach (for many providers)

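Create a script for bulk updates. Use with caution: the script replaces the services array on every AWS provider it finds, including providers that already have their own services list: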

#!/bin/bash

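# Configuration - CUSTOMIZE THESE VALUES
# Uses VEZA_URL from the environment when set; otherwise falls back to the placeholder below
VEZA_URL="${VEZA_URL:-https://yourcompany.cookiecloud.ai}"
DESIRED_SERVICES='["S3","RDS_POSTGRES","DYNAMODB","LAMBDA","EC2","AWS_IAM"]'

# Stop early if the API token is missing
: "${VEZA_TOKEN:?VEZA_TOKEN must be set}"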

echo "Starting bulk AWS provider services update..."
echo "Target services: $DESIRED_SERVICES"
echo ""

# Get all AWS provider IDs
provider_ids=$(curl -s -H "Authorization: Bearer $VEZA_TOKEN" \
                    "$VEZA_URL/api/v1/providers/aws" | \
               jq -r '.values[].id')

if [ -z "$provider_ids" ]; then
    echo "Error: No AWS providers found or API call failed"
    exit 1
fi

# Count providers
provider_count=$(echo "$provider_ids" | wc -l)
echo "Found $provider_count AWS providers to update"
echo ""

# Add confirmation prompt
read -p "Continue with bulk update? (y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
    echo "Update cancelled"
    exit 0
fi

# Update each provider
echo "$provider_ids" | while read -r provider_id; do
    if [ -n "$provider_id" ]; then
        echo "Updating provider: $provider_id"
        
        response=$(curl -s -w "\nHTTP_STATUS:%{http_code}" -X PATCH \
                        -H "Authorization: Bearer $VEZA_TOKEN" \
                        -H "Content-Type: application/json" \
                        -d "{\"services\":$DESIRED_SERVICES}" \
                        "$VEZA_URL/api/v1/providers/aws/$provider_id")
        
        http_status=$(echo "$response" | grep "HTTP_STATUS" | cut -d: -f2)
        
        if [ "$http_status" = "200" ]; then
            echo "✓ Successfully updated provider $provider_id"
        else
            echo "✗ Failed to update provider $provider_id (HTTP $http_status)"
            echo "Response: $(echo "$response" | grep -v "HTTP_STATUS")"
        fi
        echo ""
    fi
done

echo "Bulk update completed"
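
The bulk script above sends one identical list to every provider. The following Python code is an added example, not part of the original guide or Veza's own tooling: it plans a per-provider PATCH body that removes only the named services, expands an empty array to the full list first, and refuses to produce an empty array (which would enable everything). It runs offline on a constructed response; ALL_SERVICES is copied from this page's "Available AWS services" list and is assumed to be complete for your instance, and plan_updates and the sample IDs are hypothetical names.

```python
import json

# Service names copied from this page's "Available AWS services" list (assumed complete).
ALL_SERVICES = [
    "S3", "RDS_POSTGRES", "RDS_MYSQL", "RDS_ORACLE", "RDS", "DYNAMODB",
    "REDSHIFT", "REDSHIFT_CLUSTER", "EC2", "LAMBDA", "EKS", "ECR", "EMR",
    "AWS_IAM", "KMS", "SECRETS_MANAGER", "COGNITO", "SSO", "ORGANIZATIONS",
    "DATABRICKS",
]

def plan_updates(response, disable):
    """Return (plans, skipped): PATCH bodies per provider, and providers left alone."""
    unknown = set(disable) - set(ALL_SERVICES)
    if unknown:
        raise ValueError(f"unknown service name(s): {sorted(unknown)}")
    plans, skipped = [], []
    for p in response["values"]:
        # An empty array means every service is enabled, so expand it first.
        current = p.get("services") or ALL_SERVICES
        wanted = [s for s in current if s not in disable]
        if not wanted:
            # Sending [] would enable all services instead of disabling any.
            skipped.append((p["id"], "result would be an empty array"))
        elif wanted == current:
            skipped.append((p["id"], "no change needed"))
        else:
            plans.append({"id": p["id"], "name": p["name"],
                          "body": json.dumps({"services": wanted})})
    return plans, skipped

# Constructed sample in the shape of the Step 1 response (hypothetical IDs, not real data).
SAMPLE = {"values": [
    {"id": "id-prod", "name": "Production AWS Account", "services": []},
    {"id": "id-dev", "name": "Development AWS Account",
     "services": ["S3", "RDS_POSTGRES", "LAMBDA"]},
    {"id": "id-lab", "name": "Analytics Lab", "services": ["DATABRICKS"]},
]}

if __name__ == "__main__":
    plans, skipped = plan_updates(SAMPLE, {"DATABRICKS"})
    for plan in plans:
        print(f"PATCH /api/v1/providers/aws/{plan['id']}  {plan['body']}")
    for provider_id, reason in skipped:
        print(f"skip  {provider_id}: {reason}")
```

Review the printed plan, then send each body with the PATCH call from Step 3. A skipped provider whose result would be empty needs a manual decision, since the allow list cannot express "no services".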

Step 5: Verify changes

After updating providers, verify the changes took effect:

# Check all providers
curl -H "Authorization: Bearer $VEZA_TOKEN" \
     "$VEZA_URL/api/v1/providers/aws" | \
jq '.values[] | {id: .id, name: .name, services: .services}'

# Check specific provider
curl -H "Authorization: Bearer $VEZA_TOKEN" \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID" | \
jq '{id: .id, name: .name, services: .services}'

Reversing changes

Re-enable all services

To return a provider to monitoring all services:

curl -X PATCH \
     -H "Authorization: Bearer $VEZA_TOKEN" \
     -H "Content-Type: application/json" \
     -d '{"services":[]}' \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID"

Modify service configuration

To change which services are monitored:

# Example: Enable different set of services
NEW_SERVICES='["S3","LAMBDA","DYNAMODB","EC2"]'

curl -X PATCH \
     -H "Authorization: Bearer $VEZA_TOKEN" \
     -H "Content-Type: application/json" \
     -d "{\"services\":$NEW_SERVICES}" \
     "$VEZA_URL/api/v1/providers/aws/YOUR_PROVIDER_ID"

Available AWS services

The following AWS services can be included in the services array:

  • S3 - Simple Storage Service

  • RDS_POSTGRES - PostgreSQL databases

  • RDS_MYSQL - MySQL databases

  • RDS_ORACLE - Oracle databases

  • RDS - General RDS service

  • DYNAMODB - DynamoDB NoSQL database

  • REDSHIFT - Redshift data warehouse

  • REDSHIFT_CLUSTER - Redshift cluster management

  • EC2 - Elastic Compute Cloud (virtual machines)

  • LAMBDA - Serverless functions

  • EKS - Elastic Kubernetes Service

  • ECR - Elastic Container Registry

  • EMR - Elastic MapReduce (big data)

  • AWS_IAM - Identity and Access Management

  • KMS - Key Management Service

  • SECRETS_MANAGER - AWS Secrets Manager

  • COGNITO - User authentication service

  • SSO - AWS Single Sign-On

  • ORGANIZATIONS - AWS Organizations

  • DATABRICKS - Analytics platform

Important notes:

  • Service availability may vary by Veza version and configuration

  • Some services may require specific permissions or setup

  • When in doubt, check your Veza UI to see which services are available for your AWS providers
